What You Need to Know About KRACK to Keep Data Safe

Author:
Barbara Palmer


You may already have heard the buzz about KRACK. Last week, the United States Computer Emergency Readiness Team (US-CERT) disclosed that Wi-Fi users are at risk of sharing unencrypted traffic with potential hackers because of a vulnerability of Wi-Fi protocols to KRACK — aka Key Reinstallation Attacks.

So what does KRACK mean for event planners?

“Imagine you have an event with 20,000 attendees and one advanced hacker in Wi-Fi range,” wrote Silke Fleischer, co-founder of ATIV Software, the developer of EventPilot conference apps. “When an attendee logs into your Wi-Fi, this attacker could intercept the traffic between the attendee’s devices and your Wi-Fi routers and inject code that modifies the web content presented to your attendee. For example, your attendees could be clicking on a changed link on your website that now directs to a malicious site that collects passwords and credit card details.

“While this is a pretty scary scenario,” Fleischer continued, “it’s not that new, as your Wi-Fi passwords are probably publicly available anyway — an injection like this was possible in the past. But KRACK is a good reminder of the risk that unsecured traffic can pose to you and your attendees.”

Your venue’s Wi-Fi may be running on outdated equipment with outdated firmware, but many meeting planners aren’t equipped with the technical knowledge to determine whether or not the Wi-Fi setup at a venue is secure. “In my experience, most venues do not firewall or even manage network connections outside of using basic bandwidth caps,” said Matt Thayer, director at Presentation Management Systems. “Event planners seem to trust their venues — often unquestioningly — to deliver secure technology solutions, but it is actually pretty rare to see a venue with a qualified network engineer on staff.” A technical consultant knows to ask about AES vs. TKIP protocols and may also help you negotiate the fastest speed for the best price.

2. Contact your event’s Wi-Fi provider and ask about KRACK.

Affected router vendors received information about the vulnerability months before the public announcement, so firmware updates and patches are either already available or will soon be made available. Ask whether your venue Wi-Fi provider has fully updated the firmware — or let your technical consultant ask.

3. Install software updates.

Check your devices’ operating systems (including your own mobile devices and your computers) to ensure they are fully updated, including any patches or updated drivers that are available. (Microsoft has already released a patch, the KRACK patch for Android is supposed to become available Nov. 6, and an Apple fix is in beta.)

4. Use secure [HTTPS] website links only.

While your organization may be able to control your own server security, your online meeting program is a repository of outbound links — many of which are not secure. While not offering 100 percent protection from KRACK, using HTTPS (Hypertext Transfer Protocol Secure) traffic adds a layer of protection. In a recent project, ATIV saw 95 percent of the exhibitor links pointing to a URL using HTTP (Hypertext Transfer Protocol) instead of the secure HTTPS. Ask your vendors to only accept URLs starting with https when entered into the form fields by your exhibitors or speakers.

To make your own browsing more secure, install the “HTTPS Everywhere” browser extension. And the Chrome browser also shows you if a site is secure or not.

5. Require suppliers to use URLs that begin with HTTPS.

While your event suppliers likely have a secure server set up, they may inadvertently be distributing URLs that begin with the non-secure HTTP, via APIs or data exports to integration partners. EventPilot, for example, works with large medical meetings and scientific conferences, some of which have as many as 20,000 sessions and abstracts, along with hundreds of exhibitors, and ATIV imports data sets from multiple abstract management systems, registration providers, exhibit management companies, and others. Ask your vendors to review any outgoing data to ensure that it only contains secure URLs beginning with HTTPS.
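One way a vendor could apply tips 4 and 5, as an added example that is not from the article or from ATIV: `check_url` is the accept-only-https rule for a form field, and `audit_export` applies it to every link in an outgoing CSV export. The function names, column names and sample rows are constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Absolute (scheme://...) or protocol-relative (//host/...) links in free text.
# Bare "www.example.com" text is not a link and is not matched here.
URL_RE = re.compile(r"""(?:[a-z][a-z0-9+.-]*:)?//[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample export; the column names are assumptions.
SAMPLE_EXPORT = (
    "name,website,description\n"
    "Acme Devices,http://acme.example/booth,Visit us at booth 12\n"
    "Beta Labs,https://beta.example/,Slides at HTTP://beta.example/slides.pdf.\n"
    "Gamma Corp,//gamma.example/promo,See https://gamma.example/agenda\n"
    "Delta Inc,ftp://files.delta.example/kit.zip,No links here\n"
)

def check_url(value):
    """Form-field rule: accept only an absolute https:// URL with a host."""
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return "malformed"
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return "insecure" if parts.scheme == "http" else "rejected"
    return "ok" if parts.hostname else "malformed"

def audit_export(csv_text):
    """Return (links_seen, findings) for every cell of a CSV export."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header, findings, seen = rows[0], [], 0
    for row_no, row in enumerate(rows[1:], start=2):  # row 1 is the header
        for column, cell in zip(header, row):
            for match in URL_RE.finditer(cell):
                url = match.group(0).rstrip(".,;)")  # drop sentence punctuation
                seen += 1
                verdict = check_url(url)
                if verdict != "ok":
                    findings.append((row_no, column, url, verdict))
    return seen, findings

if __name__ == "__main__":
    seen, findings = audit_export(SAMPLE_EXPORT)
    for row_no, column, url, verdict in findings:
        print(f"row {row_no} [{column}] {verdict}: {url}")
    print(f"{len(findings)} of {seen} links are not HTTPS")
```

Protocol-relative links (`//host/path`) are rejected rather than accepted, because they inherit whatever scheme the embedding page was loaded over.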

6. Confirm that your event app vendor uses SSL (Secure Sockets Layer).

At large meetings, apps are likely to be the main access point to your conference program. EventPilot apps are generally used 60 to 100 times during the event by more than 80 percent of attendees — and most likely while attendees are using the venue’s Wi-Fi. The data transmitted by the EventPilot conference app to and from EventPilot servers is done over SSL to keep user data secure. Ask your own app vendor to confirm that your app is communicating securely with the app provider’s server.

7. Use a VPN — virtual private network.

A VPN (virtual private network) adds a layer of security to all information transmitted over Wi-Fi. When using public Wi-Fi in your hotel or at your conference, always turn it on. If your organization doesn’t provide a VPN, choose a VPN provider carefully — review their websites first to see if their software is up to date with regard to KRACK.

8. Connect to the internet using alternatives to Wi-Fi.

If you have a cellular data plan, you can share your internet connection with other devices and set up a hotspot. But hotspots are typically used over Wi-Fi, which is now vulnerable to this attack. To add security, share internet via Bluetooth or USB and turn Wi-Fi off completely, using your device’s “Settings” menu. If your speakers present sensitive information, provide Ethernet cables for their presentation computers, so they can connect directly to a router.

9. Don’t forget the Internet of Things.

If you use Wi-Fi enabled gadgets like cameras to monitor attendee traffic at events, ensure that those devices are secure. Don’t forget to check for firmware updates for all your home devices.

10. Educate your attendees and regularly remind them about security.

Use your event app’s notification feature to provide tips for more secure browsing. Include reminders to install security patches and firmware and system updates on all devices; to connect to hotspots using Bluetooth; to use a trusted VPN provider; and to install HTTPS Everywhere.

While there’s no need to panic over KRACK, Fleischer advises, “meeting planners and event professionals must be fully aware of security risks that their attendees are exposed to. You can mitigate some of the risks with the tips above and help your peers implement them by sharing this article.”

A version of this article appeared on LinkedIn. Follow Fleischer for more articles about event technology and conference apps.
